The term "security theater" was coined to describe the array of security measures at U.S. airports -- taking off shoes, patting down children and the elderly -- that project an image of toughness without making commercial aviation any safer. But the man who came up with the phrase is famous cybersecurity expert Bruce Schneier, and it could just as easily apply to a number of common tech security measures. We talked to an array of tech experts to discover what security technologies are often just for show.

Orlando Scott-Cowley, cybersecurity strategist at email security company Mimecast, is irritated by the many ordinary (and perfectly secure) online transactions that are given theatrical window dressing in the form of boastful splash screens. "There are quite a few websites that, post-login, display some sort of message similar to 'Securely getting your account details' or 'Setting up a secure connection,'" he says. "It’s such a shame and complete theater when it comes to security." (Sometimes these messages are displayed in Flash, and having a Flash-blocker installed can demonstrate just how pointless they are.)

Most PC users probably consider antivirus protection to be a baseline part of a secure PC. But Ajit Sancheti, co-founder and CEO of Preempt, a still-in-stealth IT security company, thinks antivirus software is mostly theater. "It does very little to stop malware and ransomware, but does a lot to inconvenience users, especially from a performance standpoint," he says. "Along with hardware performance degradation through OS updates, antivirus is quite likely the key reason for employee PC refresh cycles."

Barry Shteiman, director of Labs at Exabeam, agrees. "Every company makes anti-malware/virus detection a top spend in its security budget," he says. "It's standard to have antivirus installed on every endpoint computer with a flashy icon in the task bar that essentially tells you, 'You are secure from malware!' Unfortunately, that is simply not true. Every piece of malware today, especially industrialized-crime driven ones, is building anti-antivirus tools as part of the payload, bypassing endpoint protection as if it wasn't even there."

Garry McCracken, vice president of technology at WinMagic, thinks that firewalls and perimeter security measures have a certain theatrical quality -- they're "something that everyone does, but it doesn't make enterprises secure anymore," he says. "The gates have been stormed, and firewalls can no longer keep the bad guys out. Most big enterprises are in a constant state of breach, so new strategies and technologies are needed. Assume that your network is, or will be, breached; detect it, minimize the impact and recover quickly." Instead of investing more money and resources in ever more elaborate perimeter defense, he advises that you work to "keep the 'blast radius' as small as possible (i.e., contain the damage any one breach can make) or back up every 10 minutes so the restore point can be very recent."

Nathan Burke, vice president of marketing at security incident response specialist Hexadite, knows that too much data about potential threats can be overwhelming. "Installing multiple security products that produce an insane volume of alerts and then not doing anything with those alerts is IT security theater," he says. "There are far too many alerts for people to handle manually without automation. So security teams are hearing the alarms go off constantly, but they're only able to investigate 5% or less of the incidents that trigger them."

Philip Lieberman, president of Lieberman Software, agrees. "Most companies ignore the alerts because there is such a high false alarm rate," he says. "And nobody activates immediate countermeasures because they're scared of the consequences of user wrath."

Cedric Caldwell, solutions architect at IT consultancy Adapture, notes that many companies want to "say that they have met the security requirements to secure their environment and their network, where they have IPS, firewall, etc. But what do you do with that data once you have these devices on your network? Are you looking at data? Someone might implement a firewall and not pay attention to the hits on that firewall."

"Big corporations are usually good about combing through data," he adds, "but I tend to see this on a smaller scale, at companies that don’t really have the manpower to do that. They check the box and buy the equipment, but they’re not actually taking the next step to say, 'OK, what is this thing really capturing?'"

For Dimitri Sirota, CEO and co-founder of enterprise privacy management platform BigID, the most visible security theater is the security measure you encounter most often: passwords. "Passwords act as a front door lock to a house; get past the lock and you have free rein inside without other protections," he says. "For most people they are a weak link since users prefer easy to remember over hard to decipher." He feels that a password used as anything more than the first layer of a defense in depth is just theater.

Nigel Stanley, practice director in cyber security at OpenSky, the IT consultancy arm of TÜV Rheinland, is particularly miffed at passwords that ostentatiously demand to be changed once a month. "Why 30 days?" he asks. "What happens at day 31 to create a security risk?"

Stu Sjouwerman, founder and CEO at KnowBe4, thinks that security theater happens at the training level too. The example he gives is a company that "sends simulated phishing attacks, but only once every 90 days, and not preceded by interactive, engaging, web-based training that really explains the risks on the Internet. Result? Employees feeling hassled and no measurable decrease in phish-prone percentage."

OpenSky's Stanley sneers at the tendency of some security companies to sell their products with military-sounding adjectives, which may sound tough but don't actually represent more secure systems. "I include terms such as 'military-grade encryption,' 'flash to bang,' 'kill chain,' and 'detonate,'" he says. "WTF? Not descriptive, not helpful."

J. Colin Petersen, president and CEO at J Digital Identity, thinks that when IT staff reject any and all user requests in the name of security, that's a kind of performance. "For instance," he says, "an end user might request access to a certain resource, and instead of figuring out a secure way to grant the user access, the IT professional will just stonewall and say something like 'Sorry, that compromises security and I can't allow that.'"

Shlomo Touboul, CEO at illusive networks, says that the tendency to share data about breaches you've experienced can amount to a performance as well. "When a new massive attack on a specific sector is discovered, other companies within that sector are immediately alerted. But this doesn't make them safer," he says. "Every enterprise has different attack vectors embedded in its network and nearly all are invisible to them but discovered and utilized by attackers. While sharing information about specific attacks might help patch some systems, they do nothing to expose hidden attack vectors, leaving enterprises feeling secure when they're not."

It's not just technical folks who get on stage in the wake of a breach, says Mimecast's Scott-Cowley. "The most heinous of crimes is the glib post-breach statement that 'we take security (of data/of our customers/of our service) seriously,'" he says. "This is trotted out by CEOs and PR departments in the press release they issue once someone has managed to breach their obviously very unserious security. Often they'll use the phrase 'sophisticated and coordinated attack' as well, which to me is also complete nonsense. Those two phrases go hand in hand to cover up the fact that weak security was breached and hackers gained access to resources of data in the face of little or no resistance."

We'd be remiss, though, if we didn't offer a contrarian view from BigID's Sirota. "Security theater isn't all bad," he says. "It does act as a deterrent. Police forces in cities aren't arresting people 24/7. However, their presence acts as a deterrent. You see the same effect with military forces. We're not always fighting someone, but running drills reminds enemies of capability." Sometimes, in other words, a weak password or firewall is still better than nothing at all.